Time to Pay Attention to ICS

A backlog of malware within ICS (industrial control systems) environments poses a threat to critical infrastructure that could have dire consequences.

Industrial Control Systems (ICS) tend to be “out of sight, out of mind,” as long as nothing goes wrong. These systems are essential to life in an advanced society, as they manage critical infrastructure including power plants, the electrical grid, hydro facilities, water and wastewater, transportation, manufacturing, and much more. Yet they tend to be taken for granted by everyone except their operators, until a failure or breach in an ICS system leads to a crisis that is visible enough to demand wider attention.

New research on the prevalence of malware within ICS environments suggests that IT and security professionals, in particular, should pay closer attention to the cyber-attacks within ICS networks.  The Dragos Threat Operations Center, after studying 15,000 malware samples from ICS environments over a three-month period, concluded that some 3000 industrial sites per year get infected with malware.

Much of the malware the researchers found came from common malware families, and may not – yet – have affected the ICS systems they inhabit. However one malware variant, posing as Siemens PLC (programmable logic controller) firmware, has been in circulation since 2013, and has been reported by 10 industrial sites in the U.S., Europe, and China. Another attack, dating back to 2011, was a phishing email that targeted multiple nuclear sites in the U.S. and other Western countries.

Aiming at the easier target

What makes ICS and SCADA (supervisory control and data acquisition) systems such attractive targets for hackers? They are generally regarded as being well prepared for physical threats such as fires and explosions, as well as physical events caused by hardware malfunction or failure. They are not however designed with cyberattacks in mind, which – at a time when they are increasingly networked to both proprietary systems and the Internet – poses a significant new dimension of threat.

Cyberattacks that target ICS environments aim to inflict “loss of view” and/or “loss of control” on the system’s operators. Documented attacks in 18 countries outside the U.S. have included:

  • The destruction of centrifuges in Iran’s nuclear facility (via the Stuxnet worm),
  • Damage to a blast furnace,
  • Tilting of an offshore oil rig, and
  • Significant environmental discharges. 

Within the U.S., attacks have included loss of electrical and water SCADA, damage to manufacturing lines, shutdown of HVAC systems, and damage to critical motors.

Strategies to mitigate risk

With so much malware already resident in ICS environments, and the prospect of an ICS breach leading to an infrastructure failure with disastrous consequences, government agencies in the U.S. and elsewhere are scrambling to raise awareness and mobilize the owners and operators of infrastructure assets.

Especially active is the U.S. Department of Homeland Security’s ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), which has published a series of recommendations on how to identify and mitigate the cyber vulnerabilities of ICS environments. Some of its recommendations include:

  • Removing critical control systems from the public-facing Internet,
  • Ensuring that updates are performed securely and with documentation, and
  • Making critical systems unavailable to all but trusted users.

A useful addition to these suggestions would be recognizing that the components of networked ICS systems also function, in effect, as endpoints on their networks. If one can automate the process of identifying these endpoints’ deviations from their normal behavior, and generate actionable alerts to the analyst(s) responsible for securing the network, the cyber-risk within ICS and SCADA environments can be meaningfully reduced.

The endpoint modeling advantage

Endpoint modeling is an advanced threat-detection technology that creates and maintains a software model – a real-time simulation – of each of your networked resources. It automatically discovers the role and behavior of each of your IT assets, and then tracks that behavior continuously. If one of these assets begins to act abnormally, or in a way that is unexpected, endpoint modeling generates a real-time alert. Your security analysts can quickly investigate to determine if this behavior represents a threat, and if so, take effective action to remediate it.

Experience Dynamic Endpoint Modeling on Your Own Network

Getting better visibility into your network and improving your security couldn’t be easier. Sign up for a free, no-risk trial of Observable’s Endpoint Modeling solution, and change the way you see security.

Detect Threats Faster – Start Your Free, No-Risk Trial